
I work at a company that provides a SaaS program for other organizations, and each subscribed organization receives their own subdomain of their choosing - generally they choose the organization name. We recently discovered that there are tools that can use brute force DNS requests to enumerate the subdomains for a given domain. Our company would like to prevent this if possible, as someone could 'build' a list of our clients by doing so. I'm wondering if there is a way to 'rate-limit' DNS requests, in order to prevent this - we use Cloudflare as our DNS provider, and they do offer rate-limiting for HTTP requests, but I haven't seen anything about DNS requests, so I'm wondering if this is even possible.

Daryl1976

1 Answer


TL;DR: What you want is not possible due to the way DNS works.

DNS does not work like HTTP where some client accesses a server and where this specific client can be rate-limited by this server. Instead DNS is a distributed directory service, consisting of many authoritative name servers which provide information about "their" domains and additional recursive name servers which collect and cache such information for their clients.

A request to resolve a specific domain will typically not come directly from the client but from another recursive name server which was asked by the client to resolve this domain. This means that there is no direct relationship between a DNS request received by the authoritative name server and a client: the same client might use different recursive name servers so that the source of the request at the authoritative name server differs. And many clients will usually use the same recursive name server so that any rate limiting will affect many clients and not only the specific client one likes to slow down.

Steffen Ullrich
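An added example (not part of the question or the answer) that works within the constraint the answer describes: because the authoritative server only ever sees the recursive resolver, this Python script does not try to rate-limit anyone but instead scores each source by its share of NXDOMAIN answers and distinct names over a constructed query log (the log format and the thresholds are assumptions). A source that gets flagged is usually a shared resolver, so the useful response is an alert for review rather than blocking.

```python
from collections import defaultdict

# Constructed authoritative-server query log (made-up data). Assumed format:
# <timestamp> <source-ip> <qname> <rcode>
SAMPLE_LOG = """\
2024-03-06T10:00:00Z 203.0.113.10 acme.example.com NOERROR
2024-03-06T10:00:00Z 203.0.113.10 admin.example.com NXDOMAIN
2024-03-06T10:00:01Z 203.0.113.10 api.example.com NXDOMAIN
2024-03-06T10:00:01Z 203.0.113.10 app.example.com NXDOMAIN
2024-03-06T10:00:02Z 203.0.113.10 dev.example.com NXDOMAIN
2024-03-06T10:00:02Z 203.0.113.10 ftp.example.com NXDOMAIN
2024-03-06T10:00:02Z 203.0.113.10 mail.example.com NXDOMAIN
2024-03-06T10:00:03Z 203.0.113.10 portal.example.com NXDOMAIN
2024-03-06T10:00:03Z 203.0.113.10 staging.example.com NXDOMAIN
2024-03-06T10:00:03Z 203.0.113.10 test.example.com NXDOMAIN
2024-03-06T10:00:04Z 203.0.113.10 vpn.example.com NXDOMAIN
2024-03-06T10:00:05Z 198.51.100.2 acme.example.com NOERROR
2024-03-06T10:00:06Z 198.51.100.2 acme.example.com NOERROR
2024-03-06T10:00:07Z 198.51.100.2 www.example.com NOERROR
2024-03-06T10:00:08Z 198.51.100.2 acme-old.example.com NXDOMAIN
2024-03-06T10:00:09Z 198.51.100.2 globex.example.com NOERROR
"""


def summarize(log_text):
    """Per source: total queries, NXDOMAIN answers, distinct names queried."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "names": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, qname, rcode = line.split()
        s = stats[src]
        s["total"] += 1
        s["names"].add(qname.lower())
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
    return stats


def flag_enumerators(log_text, min_queries=10, min_nx_ratio=0.8):
    """Sources whose traffic looks like a wordlist sweep: enough volume,
    almost every answer NXDOMAIN, and nearly every queried name distinct."""
    flagged = []
    for src, s in summarize(log_text).items():
        if s["total"] < min_queries:
            continue
        nx_ratio = s["nxdomain"] / s["total"]
        distinct_ratio = len(s["names"]) / s["total"]
        if nx_ratio >= min_nx_ratio and distinct_ratio >= 0.9:
            flagged.append(src)
    return sorted(flagged)
```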